hammerhead
« on: February 28, 2017, 05:32:06 17:32 »
In 3 months' time I will be moving to another city and leaving the job that I have been in for the past 16 years. The owner of the company knows me well and has trusted me to create the hardware and firmware for the products we manufacture. There is nobody within the company who can take over my position and the owner is paranoid that whoever he hires to replace me could steal our designs. What safeguards do other companies have in place to restrict access to files and prevent employees from downloading files to USB or smartphone, or email, yet at the same time allow access to certain files as needed?
For example, if they need to update or revise a circuit board, they will need access to copies of the original schematic/PCB files to make the changes, but somehow prevent them from moving the files offsite.
Webmail clients make it difficult to monitor emails, and disabling USB entirely is not an option because the dev tools (not to mention mouse/keyboard) need USB to function.
Does anybody have any thoughts/ideas on what we can do to improve security in this area?

Gallymimu
« Reply #1 on: February 28, 2017, 07:02:11 19:02 »
This level of paranoia just slows the company down. A malicious person will always be able to get the files, and may even do so through social engineering. People are always the weak link.
That said, it is possible to secure things at high overhead. Military prime contractors with secure facilities use simple principles. No recordable media may leave or enter the facility. No external network connections are allowed through which data could leave or enter the facility. On the far other end: trust people and don't restrict their ability to get work done.
Anything else is some compromise between efficiency and security.
It's unlikely that the firmware and hardware are so magical and wonderful that it is worth stealing. Also, the company presumably has some strength of IP, sales channels, and brand recognition such that it would be hard to penetrate. Additionally, you have legal recourse if someone steals confidential info.

mars01
« Reply #2 on: February 28, 2017, 07:28:34 19:28 »
Technically, unless the company owner decides to install X-ray scanners and the like, I don't think someone can really protect information. It is said that once someone knows a secret then that information is no longer a secret. You know, there are people with photographic memory, how can you protect from that?! The least that the owner can do is to make the employees sign an NDA (or some other forms of legalities) and monitor the access to that information. Usually a product is a complex one so he can make sure that nobody has the complete picture except some people he pays well, maybe give them shares in the company to co-interest them. So, compartmentalization. I saw this strategy used in one of the companies where I used to work and it was efficient but to be honest, if someone really wants to steal some IP, he will. We all want complete security but reality contradicts that.

hammerhead
« Reply #3 on: February 28, 2017, 07:45:41 19:45 »
Thank you for your responses.
Quote: "It's unlikely that the firmware and hardware are so magical and wonderful that it is worth stealing."
I agree with you 100%, and I'm the one who developed this magical and wonderful product! I have been pushing for non-disclosure agreements and contract provisions that would bind them legally from doing anything of the sort. But beauty, as they say, is in the eye of the beholder. And in the owner's eyes, this is the greatest, most revolutionary product of its kind in the world and should be protected as such. Perhaps then, I should broaden the question. In the absence of military-grade security protocols and beyond a standard NDA, what policies or contract provisions would you suggest implementing to limit the likelihood (and defuse the paranoia) that would also be practical and without (much) negative impact on morale, efficiency and productivity?

mars01
« Reply #4 on: February 28, 2017, 08:20:21 20:20 »
He can use a good HR psychologist, one that can help employ honest people. Give them a good pay and rewards on each project (money or free time or other perks). Make sure that the rewards are well targeted and based on competence. Make the employee part of the "family" (maybe a not so rigid work schedule as long as the job is done).
Bottom line is that it should be a job that you want to keep. For a while at least. And when you leave, you should leave on OK terms, not angry. That way, the issue of the angry "making the owner pay" attitude is minimized and so the chances for the information to leave the site are minimized too.

optikon
« Reply #5 on: February 28, 2017, 10:07:20 22:07 »
Quote: "And in the owner's eyes, this is the greatest, most revolutionary product of its kind in the world and should be protected as such."
Then it should have been protected by patent before being released into the public domain. This would at least give a legal recourse and also discouragement from others profiting from the design (if it was stolen). Short of that, NDA and contract agreements are not as strong legally to pursue if there is a violation. The boss needs to be a good judge of character? Sorry, but to keep the business machine running, there has to be full disclosure to the employee the boss hired to do the job.
I can explain this to you. I can't comprehend it for you.

CocaCola
« Reply #6 on: March 01, 2017, 12:26:27 00:26 »
Quote: "Then it should have been protected by patent before released into the public domain. This would at least give a legal recourse and also discouragement from others profiting from the design (if it was stolen)"
The cold hard truth is that patents are only as good as the money you are willing to invest protecting them... Sure it might discourage some but it won't prevent anyone from copying your design... 9/10 you will never even be able to recover your court cost when you attempt to shut down someone as they just go bankrupt or they are foreign owned companies that don't give a hoot about your 'judgement'... Sadly patent protection nowadays has become a protection for those with millions in liquid assets to spend on lawyers and legal fees... And the same is pretty much true of NDA, even if someone violates an NDA if they have no assets you won't be collecting anything at the end of the day...
That said to the OP, nothing you do short of keeping the designs and all manufacturing in house and controlling who has access to the facility and providing access with tons of security and screen will do much good... Nowadays for example bare board thumb drives could be hidden just about anywhere, even technically swallowed so stopping anyone with access to the files from stealing them is for all intents useless... Just look at all the files Wikileaks releases, many from highly secure government computers and institutions... Also consider this, if it can be built it can be reverse engineered and copied, in fact there are entire multi-million dollar businesses in Asia set up to do just this, especially for electronics... Sometimes you just have to take basic steps to secure who has access to what and then just focus on selling your product and not constantly looking behind wondering if someone is going to bootleg it... One last thing, most designs are 'bootlegged' by companies outsourced to manufacture them and Asian companies are not shy...
I have seen this first hand, I had a friend looking to create a reproduction of an item that the patent had long expired on, there was one reproduction on the market but it had a few flaws this guy wanted to address... Needless to say he started to send his CAD renders to companies in Asia to get quotes, and lo and behold unknown to him he had sent it to the same company that was manufacturing the existing reproduction that was already on the market... The manufacturing company with no integrity then offered to sell the existing reproduction with no tooling or setup fees to him vs retooling to build his version... I also had another friend that had some items manufactured in Asia, 6 months later his design was being sold all over eBay by every Asian electronics seller for less than he was being charged...

medik
« Reply #7 on: March 01, 2017, 04:30:16 04:30 »
In addition to what has been said, I think the emphasis should be on maintaining good market share (brand name), lower cost of production as this would make the design less attractive to steal and give the company a fighting chance to remain competitive should there be a substitute product. The cost of some Chinese goods in the market has deterred a lot of guys with good designs from going the commercial route.
I agree absolutely that anything can be reverse engineered once the interest is indicated. At best, keep the firmware controlled.

CocaCola
« Reply #8 on: March 01, 2017, 05:05:37 05:05 »
Quote: "At best, keep the firmware controlled."
For most common chips even that can be dumped, generally for $1000 or less sometimes in house for these Asian bootleg companies... Plus there is no shortage of decent programmers that can recreate the firmware, yeah it might not be perfect but it can generally be created good enough to be competitive, it's not like most people stealing designs are aiming for 'quality' or 'brand loyalty' they are in it for the quick buck...

Parmin
« Reply #9 on: March 01, 2017, 08:46:47 20:46 »
There is nothing secure to someone that really wants to steal info.
Improve your design all the time, so by the time any info is leaked out it is already obsolete.
If I have said something that offends you, please let me know, so I can say it again later.

Sideshow Bob
« Reply #10 on: March 02, 2017, 09:58:51 09:58 »
Quote: "Then it should have been protected by patent before released into the public domain. This would at least give a legal recourse and also discouragement from others profiting from the design (if it was stolen)"
Getting a patent may be very expensive. And the day you get the patent, your invention will be very public, as one of the requirements for a patent is to publish a detailed description of your invention. A patent dispute may be taken to court. But it will be a civil court. And very often a long and very expensive process. The party with the deepest pockets may win. The bottom line is that a patent may not be as good a protection as many think.
I have come here to chew bubblegum and kick ass... and I'm all out of bubblegum

vern
« Reply #11 on: March 02, 2017, 12:26:23 12:26 »
You can try to split your designs so that no single person has access to the whole thing, or put something in your design that is like a black box to everyone except you which is absolutely necessary to run your design. Could be a piece of software or some hardware. With schematics and layouts that should not be too hard. These things can be cracked of course, but you need a high criminal energy which may be too much for most people or the occasional thief. It would also help in a court of justice if you can show that you put some security measures in your design. It might also point to the culprit if your design turns up somewhere else.

HULK69
« Reply #12 on: March 06, 2017, 01:17:57 13:17 »
What is the product anyway? Just curious!